adding vault in dev mode

08_Vault/README.md

@@ -0,0 +1,131 @@
+# Helm
+
+## Installation
+helm repo add hashicorp https://helm.releases.hashicorp.com
+
+helm install vault hashicorp/vault \        
+    --set='server.dev.enabled=true' \
+    --set='ui.enabled=true' \
+    --set='ui.serviceType=LoadBalancer' \
+    --namespace vault \
+    --create-namespace
+
+Running Vault in “dev” mode. This requires no further setup, no state management, and no initialization. This is useful for experimenting with Vault without needing to unseal, store keys, et. al. All data is lost on restart — do not use dev mode for anything other than experimenting. See https://developer.hashicorp.com/vault/docs/concepts/dev-server to know more
+
+
+## Output
+```
+$ kubectl get all -n vault
+NAME                                        READY   STATUS    RESTARTS   AGE
+pod/vault-0                                 1/1     Running   0          2m39s
+pod/vault-agent-injector-8497dd4457-8jgcm   1/1     Running   0          2m39s
+
+NAME                               TYPE           CLUSTER-IP       EXTERNAL-IP    PORT(S)             AGE
+service/vault                      ClusterIP      10.245.225.169   <none>         8200/TCP,8201/TCP   2m40s
+service/vault-agent-injector-svc   ClusterIP      10.245.32.56     <none>         443/TCP             2m40s
+service/vault-internal             ClusterIP      None             <none>         8200/TCP,8201/TCP   2m40s
+service/vault-ui                   LoadBalancer   10.245.103.246   24.132.59.59   8200:31764/TCP      2m40s
+
+NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE
+deployment.apps/vault-agent-injector   1/1     1            1           2m40s
+
+NAME                                              DESIRED   CURRENT   READY   AGE
+replicaset.apps/vault-agent-injector-8497dd4457   1         1         1       2m40s
+
+NAME                     READY   AGE
+statefulset.apps/vault   1/1     2m40s
+```
+
+# Configuration
+
+## Enter Pod
+
+kubectl exec -it vault-0 -n vault -- /bin/sh
+
+## Create policy
+```
+cat <<EOF > /home/vault/read-policy.hcl
+path "secret*" {
+  capabilities = ["read"]
+}
+EOF
+```
+## Apply
+
+``` 
+vault policy write read-policy /home/vault/read-policy.hcl
+```
+
+## Enable Kubernetes
+```
+vault auth enable kubernetes
+``` 
+
+## Configure Kubernetes Auth
+
+Configure to communicate with API server
+```
+vault write auth/kubernetes/config \
+   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+```
+
+## Create a Role
+Create a role(vault-role) that binds the above policy to a Kubernetes service account(vault-serviceaccount) in a specific namespace. This allows the service account to access secrets stored in Vault:
+
+```
+vault write auth/kubernetes/role/vault-role \
+   bound_service_account_names=vault-serviceaccount \
+   bound_service_account_namespaces=vault \
+   policies=read-policy \
+   ttl=1h
+```
+
+# Create Secrets 
+
+## Via CLI
+
+```
+vault kv put secret/login pattoken=ytbuytbytbf765rb65u56rv
+```
+
+## Via UI
+
+Now you can login to vault using the Token method, initially use Token=`root` to login.
+
+
+# Accessing Secrets in Pods
+
+Using the above steps, we have installed Vault and configured a Vault role(vault-role) to allow the service account(vault-serviceaccount) to access secrets stored in Vault.
+
+Additionally, we have created two secrets: login and my-first-secret with key-value pairs. Now, let's create a simple Kubernetes deployment and try to access those secrets.
+
+First, let’s create a service account named vault-serviceaccount in the vault namespace. This service account is granted permissions for the Vault role as defined in the "Create a Role" step above.
+
+Apply the above manifest using the below command
+```
+kubectl apply -f vault-sa.yaml -n vault
+```
+
+This deployment manifest creates a single replica of an Nginx pod configured to securely fetch secrets from Vault. The Vault Agent injects the secrets login and my-first-secret into the pod according to the specified templates. The secrets are stored in the pod's filesystem and can be accessed by the application running in the container. The vault-serviceaccount service account, which has the necessary permissions, is used to authenticate with Vault.
+
+
+```
+kubectl apply -f vault-secret-test-deploy.yaml -n vault
+``` 
+These annotations are used to configure the Vault Agent to inject secrets into the pod volume.
+
+-`vault.hashicorp.com/agent-inject: “true”`: Enables Vault Agent injection for this pod.
+-`vault.hashicorp.com/agent-inject-status: “update”`: Ensures the status of secret injection is updated.
+-`vault.hashicorp.com/agent-inject-secret-login: “secret/login”`: Specifies that the secret stored at `secret/login` in Vault should be injected.
+-`vault.hashicorp.com/agent-inject-template-login`: Defines the template for the injected login secret, specifying the format in which the secret will be written.
+-`vault.hashicorp.com/agent-inject-secret-my-first-secret: “secret/my-first-secret”`: Specifies that the secret stored at secret/my-first-secret in Vault should be injected.
+-`vault.hashicorp.com/agent-inject-template-my-first-secret`: Defines the template for the injected `my-first-secret`, specifying the format in which the secret will be written.
+-`vault.hashicorp.com/role: “vault-role”`: Specifies the Vault role to be used for authentication.
+-`serviceAccountName`: Uses the service account `vault-serviceaccount` which has permissions to access Vault.
+
+Use the below command to check the vault secrets from the pod volume
+```
+kubectl exec -it vault-test-84d9dc9986-gcxfv -- sh -c "cat /vault/secrets/login && cat /vault/secrets/my-first-secret" -n vault
+```

08_Vault/vault-sa.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault-serviceaccount
+  labels:
+    app: read-vault-secret

08_Vault/vault-secret-test-deploy.yaml

@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vault-test
+  labels:
+    app: read-vault-secret
+spec:
+  selector:
+    matchLabels:
+      app: read-vault-secret
+  replicas: 1
+  template:
+    metadata:
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-inject-status: "update"
+        vault.hashicorp.com/agent-inject-secret-login: "secret/login"
+        vault.hashicorp.com/agent-inject-template-login: |
+          {{- with secret "secret/login" -}}
+          pattoken={{ .Data.data.pattoken }}
+          {{- end }}
+        vault.hashicorp.com/agent-inject-secret-my-first-secret: "secret/my-first-secret"
+        vault.hashicorp.com/agent-inject-template-my-first-secret: |
+          {{- with secret "secret/my-first-secret" -}}
+          username={{ .Data.data.username }}
+          password={{ .Data.data.password }}
+          {{- end }}
+        vault.hashicorp.com/role: "vault-role"
+      labels:
+        app: read-vault-secret
+    spec:
+      serviceAccountName: vault-serviceaccount
+      containers:
+      - name: nginx
+        image: nginx